Renewing the certificates of a kubeadm-deployed cluster


Scenario

The certificates issued by a Kubernetes cluster installed with kubeadm are valid for only one year by default, so certificate renewal has to be planned for. The officially recommended approach is to upgrade the cluster version, because a kubeadm upgrade renews the certificates as part of the process. kubeadm can, however, also renew the certificates in place for another year, which is what this page does. Back up the relevant data before starting so that the change can be rolled back later.

Note: kubelet.conf is not among the files renewed here, because kubeadm configures the kubelet to rotate its own certificate automatically.

Check the certificate expiry dates

I had already renewed the certificates in this environment once, so the dates shown are not yet expired; this does not affect the steps that follow.

`[root@dm01 ~]# kubeadm alpha certs check-expiration`
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Feb 04, 2022 02:36 UTC   318d                                    no      
apiserver                  Feb 04, 2022 02:36 UTC   318d            ca                      no      
apiserver-etcd-client      Feb 04, 2022 02:36 UTC   318d            etcd-ca                 no      
apiserver-kubelet-client   Feb 04, 2022 02:36 UTC   318d            ca                      no      
controller-manager.conf    Feb 04, 2022 02:36 UTC   318d                                    no      
etcd-healthcheck-client    Feb 04, 2022 02:36 UTC   318d            etcd-ca                 no      
etcd-peer                  Feb 04, 2022 02:36 UTC   318d            etcd-ca                 no      
etcd-server                Feb 04, 2022 02:36 UTC   318d            etcd-ca                 no      
front-proxy-client         Feb 04, 2022 02:36 UTC   318d            front-proxy-ca          no      
scheduler.conf             Feb 04, 2022 02:36 UTC   318d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Sep 23, 2030 04:11 UTC   9y              no      
etcd-ca                 Sep 23, 2030 04:11 UTC   9y              no      
front-proxy-ca          Sep 23, 2030 04:11 UTC   9y              no      

Preliminary backups

Back up the certificate files and kubeconfigs:

`# mkdir /etc/kubernetes.bak`
`# cp -r /etc/kubernetes/pki/ /etc/kubernetes.bak`
`# cp /etc/kubernetes/*.conf /etc/kubernetes.bak`

Back up the etcd data (note that copying the data directory of a running etcd is not guaranteed to yield a consistent snapshot; `etcdctl snapshot save` does, but the copy is still enough to roll back the certificate change):

`# cp -r /var/lib/etcd /var/lib/etcd.bak`

Retrieve the cluster's kubeadm configuration, which the renewal command reads:

`# kubeadm config view >kubeadm.yaml `

Run the certificate renewal command

`[root@dm01 ~]# kubeadm alpha certs renew all --config=kubeadm.yaml`
W0322 13:56:47.613673    5677 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Check the certificate dates again

`[root@dm01 ~]# kubeadm alpha certs check-expiration`
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 22, 2022 05:56 UTC   364d                                    no      
apiserver                  Mar 22, 2022 05:56 UTC   364d            ca                      no      
apiserver-etcd-client      Mar 22, 2022 05:56 UTC   364d            etcd-ca                 no      
apiserver-kubelet-client   Mar 22, 2022 05:56 UTC   364d            ca                      no      
controller-manager.conf    Mar 22, 2022 05:56 UTC   364d                                    no      
etcd-healthcheck-client    Mar 22, 2022 05:56 UTC   364d            etcd-ca                 no      
etcd-peer                  Mar 22, 2022 05:56 UTC   364d            etcd-ca                 no      
etcd-server                Mar 22, 2022 05:56 UTC   364d            etcd-ca                 no      
front-proxy-client         Mar 22, 2022 05:56 UTC   364d            front-proxy-ca          no      
scheduler.conf             Mar 22, 2022 05:56 UTC   364d                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Sep 23, 2030 04:11 UTC   9y              no      
etcd-ca                 Sep 23, 2030 04:11 UTC   9y              no      
front-proxy-ca          Sep 23, 2030 04:11 UTC   9y              no      

The expiry dates have changed: every leaf certificate is now valid for one year from the time of renewal, while the CA certificates are untouched.

Regenerate the kubeconfig files

`[root@dm01 ~]# kubeadm init phase kubeconfig all --config kubeadm.yaml`
W0322 13:57:22.000723    6057 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/admin.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/scheduler.conf"

The output reports "Using existing kubeconfig file" for all four files: `certs renew all` has already renewed the certificates embedded in admin.conf, controller-manager.conf and scheduler.conf (the check-expiration output above shows their new dates), so there is nothing left to regenerate. kubectl, however, reads its own copy of admin.conf from $HOME/.kube/config, which still carries the old client certificate; replace that copy with the refreshed file:

`# mv $HOME/.kube/config $HOME/.kube/config.old`
`# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config`
`# chown $(id -u):$(id -g) $HOME/.kube/config`

The kube-apiserver, kube-controller-manager, kube-scheduler and etcd containers still hold the old certificates in memory and must be restarted. They are static pods, so moving the manifests directory out of /etc/kubernetes makes the kubelet stop all four, and moving it back makes the kubelet start them again with the new certificates (run the following from /etc/kubernetes):

`# mv manifests manifests.bak`
`# docker ps | grep -i api`  // poll until the four containers have stopped, then move the directory back
`# mv manifests.bak manifests`

Verify that the renewal took effect by reading the expiry date of the certificate the apiserver now presents on port 6443; it is one year out, matching the check-expiration output above:

`[root@dm01 /etc/kubernetes]# echo | openssl s_client -showcerts -connect 127.0.0.1:6443 -servername api 2>/dev/null | openssl x509 -noout -enddate`
notAfter=Mar 22 05:56:48 2022 GMT
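The steps above, collected into one script as an added example (this is not code from the original post). It assumes, as the page does, a kubeadm release that still has the `kubeadm alpha certs` commands, Docker as the container runtime, and a single control-plane node administered as root; the backup directory name, the 90-day warning threshold, the 60-iteration poll limit and the function names are choices made here. The `expiring_certs` helper parses the `check-expiration` table so the check can be scripted, and the restart waits for the four static-pod containers to disappear and come back instead of eyeballing `docker ps`.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: the renewal procedure as one
# script with a pre-flight check, backups, renewal, a controlled restart of the
# static control-plane pods, and a verification step.
# Assumptions (not stated on the page): kubeadm 1.15-1.19 ("kubeadm alpha certs"),
# Docker as the container runtime, run as root on a single control-plane node.
set -eu

KUBE_DIR=/etc/kubernetes
BACKUP_DIR="/etc/kubernetes.bak.$(date +%Y%m%d%H%M%S)"   # name chosen here
ETCD_DIR=/var/lib/etcd

# expiring_certs THRESHOLD_DAYS: read `kubeadm alpha certs check-expiration`
# output on stdin and print the names of certificates whose residual time is
# below the threshold. Handles the "Nd" and "Ny" forms kubeadm prints; anything
# shorter (hours, minutes) or "<invalid>" (already expired) counts as 0 days.
expiring_certs() {
  awk -v t="$1" '
    /^CERTIFICATE/ || /^\[/ || NF == 0 { next }   # table headers, chatter, blanks
    {
      res = $7            # RESIDUAL TIME column: "EXPIRES" occupies fields 2-6
      days = 0
      if (res ~ /^[0-9]+d$/)      days = substr(res, 1, length(res) - 1) + 0
      else if (res ~ /^[0-9]+y$/) days = substr(res, 1, length(res) - 1) * 365
      if (days < t) print $1
    }'
}

# control_plane_containers: number of the four static-pod containers Docker is
# running. Pause containers are named k8s_POD_... and deliberately do not match.
control_plane_containers() {
  docker ps --format '{{.Names}}' \
    | grep -E -c '^k8s_(kube-apiserver|kube-controller-manager|kube-scheduler|etcd)_' || true
}

# wait_for_count N: poll until exactly N control-plane containers are running.
wait_for_count() {
  local want="$1" i=0
  while [ "$(control_plane_containers)" -ne "$want" ]; do
    i=$((i + 1))
    [ "$i" -lt 60 ] || { echo "timed out waiting for $want control-plane containers" >&2; return 1; }
    sleep 5
  done
}

renew_control_plane() {
  # Backups first: pki/, the kubeconfigs, etcd's data directory and the kubeadm
  # config, so the whole change can be rolled back by copying the files back.
  mkdir -p "$BACKUP_DIR"
  cp -r "$KUBE_DIR/pki" "$BACKUP_DIR/"
  cp "$KUBE_DIR"/*.conf "$BACKUP_DIR/"
  cp -r "$ETCD_DIR" "$BACKUP_DIR/etcd"
  kubeadm config view > "$BACKUP_DIR/kubeadm.yaml"

  # Renew every leaf certificate, including those embedded in the kubeconfigs.
  kubeadm alpha certs renew all --config="$BACKUP_DIR/kubeadm.yaml"

  # Bounce the static pods: the kubelet stops them when their manifests vanish
  # and starts them again, now with the new certificates, when they return.
  mv "$KUBE_DIR/manifests" "$KUBE_DIR/manifests.bak"
  wait_for_count 0
  mv "$KUBE_DIR/manifests.bak" "$KUBE_DIR/manifests"
  wait_for_count 4

  # kubectl reads ~/.kube/config, which still holds the old client certificate.
  mv "$HOME/.kube/config" "$HOME/.kube/config.old"
  cp "$KUBE_DIR/admin.conf" "$HOME/.kube/config"
  chown "$(id -u):$(id -g)" "$HOME/.kube/config"

  # Verify: the serving certificate the apiserver now presents must not expire
  # within the next 360 days (openssl -checkend exits non-zero otherwise).
  echo | openssl s_client -connect 127.0.0.1:6443 2>/dev/null \
    | openssl x509 -noout -checkend $((360 * 86400)) \
    && echo "apiserver certificate valid for more than 360 days"
}

# Usage: ./renew-certs.sh check   (list certificates with fewer than 90 days left)
#        ./renew-certs.sh run     (back up, renew, restart, verify)
case "${1:-}" in
  check) kubeadm alpha certs check-expiration | expiring_certs 90 ;;
  run)   renew_control_plane ;;
esac
```

Run `check` from cron or a monitoring job and alert on non-empty output; run `run` by hand, one control-plane node at a time if there are several, and keep the timestamped backup directory until the cluster has been confirmed healthy.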